This article provides an overview of the security aspects of this connector. The focus areas are secure connectivity, data protection, authentication, authorization, and auditing.
- Secure Connectivity
The OpsLogix ServiceNow Connector uses HTTPS for secure, encrypted communications between SCOM, Azure and ServiceNow. The use of HTTPS ensures that all communications between the platforms are encrypted in transit, reducing the risk of sensitive data being intercepted or manipulated.
- Data Protection
The connector does not store any incident data. When SCOM generates an alert, the connector transforms this alert into a ServiceNow incident and forwards it immediately. The data remains in transit only for the duration of the transmission, which minimizes the risk of data exposure.
- Authentication
The OpsLogix ServiceNow Connector leverages two different yet robust authentication mechanisms to establish secure connections between SCOM, Azure, and ServiceNow.
For the connection between Azure and ServiceNow, the connector employs OAuth 2.0, a widely accepted authentication protocol. By default, OAuth 2.0 is used for authenticating with the ServiceNow API.
The authentication between SCOM and Azure is established through the use of an API key. This key, generated uniquely within Azure, allows SCOM to securely connect and communicate with the Azure-hosted OpsLogix ServiceNow Connector. The API key acts as a secret identifier, validating the requests made by SCOM and ensuring they originate from a trusted source.
By utilizing OAuth 2.0 and API keys, the connector ensures secure, authenticated connections across SCOM, Azure, and ServiceNow. It is crucial to manage and protect these authentication methods properly, storing API keys securely and managing OAuth 2.0 tokens appropriately, to maintain the overall security of the system.
- Authorization
The OpsLogix ServiceNow Connector has been designed following the principle of least privilege (PoLP). This is a computer security concept in which a user or a program is given the minimum levels of access necessary to perform its function. By assigning the connector only the permissions it needs, it reduces the potential risk surface and minimizes the potential damage from accidental or malicious actions.
The connector requires only specific permissions to interact with ServiceNow: create, read, update, and delete (CRUD) operations on incidents. It doesn't have any unnecessary permissions beyond these CRUD operations. This specific access ensures that the connector can perform its incident management tasks effectively while reducing potential security risks.
Limiting access rights in this manner helps mitigate the potential impact of a security breach. If, for example, a malicious actor were to gain control of the connector, their actions would be restricted to the permissions granted to the connector. As the connector is only permitted to perform CRUD operations on incidents, the attacker could not misuse it to access other parts of ServiceNow or perform actions beyond the scope of these operations.
Moreover, the adoption of the least privilege principle extends not only to the connector's interaction with ServiceNow but also with its hosting environment in Azure. The OpsLogix ServiceNow Connector has minimal permissions within the Azure environment and only has access to resources necessary for its operation.
By strictly adhering to the principle of least privilege, the OpsLogix ServiceNow Connector minimizes the potential risk of unauthorized actions, thereby enhancing the overall security of the integrated SCOM-ServiceNow system. It is recommended to periodically review and update these permissions to ensure they continue to align with the connector's functionality and the evolving security landscape.
- Auditing
The OpsLogix ServiceNow Connector, is hosted in Azure and leveraging Azure Functions for streamlined, event-driven operations, generates logs for all actions it performs. These logs are not only preserved within SCOM and ServiceNow but also efficiently collected and analyzed using Azure Log Analytics (when enabled)
As a cloud-based service, Azure Log Analytics offers the capability to readily scrutinize log data generated by the connector from a centralized platform. This integration empowers administrators with the ability to conduct detailed queries, visualize data patterns, and ensure long-term retention of logs.
- Security Best Practices
To further enhance the security of the OpsLogix ServiceNow Connector, it is recommended to:
- Limit the access to the configuration console to selected IP addresses, or IP address ranges.
- Limit the access to the ServiceNow connector Azure endpoint by scoping the allowed IP addresses.
- Utilize strong, unique credentials for authentication.
- Regularly review authorization settings to ensure they align with the principle of least privilege.
- Continually monitor and review logs for any unusual or unexpected activity.
- Conclusion
While the OpsLogix ServiceNow Connector for SCOM provides secure data transmission and access controls, it is essential to follow security best practices and regularly review and update security configurations to maintain the highest level of security possible.